Setting up a Customer Master Key in AWS KMS

In this section, we will create a Customer Master Key (CMK) in AWS KMS. You must have an AWS account that has permission to create and manage CMK objects.

Create Customer Master Key

Navigate to https://us-west-1.console.aws.amazon.com/kms, and select the region you want to use for creating a new Customer Master Key.

Click on the “Create Key” button:

[Screenshot: Customer Managed Keys]

Select “Symmetric” for the Key Type:

[Screenshot: Key Type]

Enter a name/description for the CMK:

[Screenshot: Add labels]

Pick an administrator to manage the CMK object:

Select your own account so that you can manage the key (more specifically, update the policy attached to that key).

[Screenshot: Define key admin permissions]

Skip the screen that grants permissions to access the key:

The final permissions will be set up at a later time.

[Screenshot: Define key usage permissions]

Review the key policy:

For this example, make sure that the action “kms:Encrypt” is specified in one of the Statement elements of the policy. This gives you the ability to encrypt data using this CMK. In the example below, “kms:Encrypt” is granted to the administrator of the key (your account). This is for demonstration purposes only; in a typical deployment, KMS key administrators are not authorized to perform the “kms:Encrypt” or “kms:Decrypt” actions, so that the people who manage the key cannot also use it on data.

The policy should look like this (<ACCOUNT> and <USER> should reflect your settings):

{
    "Id": "key-consolepolicy-3",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<ACCOUNT>:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow access for Key Administrators",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<ACCOUNT>:user/<USER>"
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:Encrypt",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:TagResource",
                "kms:UntagResource",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        }
    ]
}
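To verify the condition described above without reading the policy by hand, the following is an added Python example (not part of the tutorial or of any AWS tooling) that parses a key policy, expands the wildcard action patterns IAM allows, and reports which data-plane actions a given principal holds; the account id and user name are constructed stand-ins for <ACCOUNT> and <USER>.

```python
import fnmatch

# Constructed sample values standing in for the tutorial's <ACCOUNT> and <USER> placeholders.
ACCOUNT = "111122223333"
ROOT_ARN = f"arn:aws:iam::{ACCOUNT}:root"
ADMIN_ARN = f"arn:aws:iam::{ACCOUNT}:user/kms-admin"
# Constructed copy of the key policy shown above, with the placeholders filled in.
KEY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
         "Principal": {"AWS": ROOT_ARN}, "Action": "kms:*", "Resource": "*"},
        {"Sid": "Allow access for Key Administrators", "Effect": "Allow",
         "Principal": {"AWS": ADMIN_ARN}, "Resource": "*",
         "Action": ["kms:Create*", "kms:Describe*", "kms:Enable*", "kms:Encrypt",
                    "kms:List*", "kms:Put*", "kms:Update*", "kms:Revoke*",
                    "kms:Disable*", "kms:Get*", "kms:Delete*", "kms:TagResource",
                    "kms:UntagResource", "kms:ScheduleKeyDeletion",
                    "kms:CancelKeyDeletion"]},
    ],
}

def _as_list(value):
    # IAM accepts a single string or a list in Principal/Action; normalise to a list.
    return value if isinstance(value, list) else [value]

def _statement_covers(stmt, principal_arn):
    # True when the statement's Principal names principal_arn (or is the wildcard "*").
    principal = stmt.get("Principal", {})
    return principal == "*" or principal_arn in _as_list(principal.get("AWS", []))

def allowed_action_patterns(policy, principal_arn):
    # Collect every action pattern that an Allow statement grants to principal_arn.
    patterns = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow" and _statement_covers(stmt, principal_arn):
            patterns.update(_as_list(stmt["Action"]))
    return patterns

def is_action_granted(policy, principal_arn, action):
    # IAM action names are case-insensitive and allow "*" wildcards, which fnmatch
    # reproduces here; e.g. "kms:Delete*" covers kms:DeleteAlias but not kms:Decrypt.
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower())
               for pat in allowed_action_patterns(policy, principal_arn))

def admin_data_plane_actions(policy, admin_arn):
    # Data-plane actions the key administrator can perform; the tutorial notes this
    # list should normally be empty, since admins manage the key but do not use it.
    return [a for a in ("kms:Encrypt", "kms:Decrypt")
            if is_action_granted(policy, admin_arn, a)]
```

Running `admin_data_plane_actions(KEY_POLICY, ADMIN_ARN)` on the tutorial's policy reports only `kms:Encrypt`, which is exactly the demonstration-only grant the text calls out.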

Summary:

[Screenshot: Summary of Success]

Congratulations! You have created a Customer Master Key in AWS KMS. Take a note of the Amazon Resource Name (ARN) of your key, as you will need it later. It should look like this (replace <REGION>, <ACCOUNT> and <KEY-ID> with the values for your environment):

arn:aws:kms:<REGION>:<ACCOUNT>:key/<KEY-ID>